Summary: | <media-gfx/graphviz-2.47.1: Multiple vulnerabilities (CVE-2019-9904, CVE-2020-18032) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | sam, soap, zlogene |
Priority: | Normal | Flags: | nattka:
sanity-check-
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://gitlab.com/graphviz/graphviz/-/issues/1512 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: |
media-gfx/graphviz-2.47.1
|
Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2019-05-01 00:29:27 UTC
Commit that should fix this issue: https://gitlab.com/graphviz/graphviz/-/commit/360ff9ef3a1829edbbf6f27b6b3543cc40b2773b (In reply to Azamat H. Hackimov from comment #1) > Commit that should fix this issue: > https://gitlab.com/graphviz/graphviz/-/commit/ > 360ff9ef3a1829edbbf6f27b6b3543cc40b2773b Was this ever an issue? Seems like maintainer couldn't reproduce on Linux and the tested environment was Windows. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b762a11ed8579ad0de77bc9f2873026bb3505696 commit b762a11ed8579ad0de77bc9f2873026bb3505696 Author: David Seifert <soap@gentoo.org> AuthorDate: 2021-04-24 11:01:04 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2021-04-24 11:01:04 +0000 media-gfx/graphviz: Bump to 2.47.1 Bug: https://bugs.gentoo.org/684844 Closes: https://bugs.gentoo.org/723286 Closes: https://bugs.gentoo.org/770067 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: David Seifert <soap@gentoo.org> media-gfx/graphviz/Manifest | 1 + .../graphviz/files/graphviz-2.47.1-bashisms.patch | 12 + media-gfx/graphviz/graphviz-2.47.1.ebuild | 277 +++++++++++++++++++++ 3 files changed, 290 insertions(+) Thanks! Please proceed with stabilization when ready. * CVE-2020-18032 Description: "Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component." Bug: https://gitlab.com/graphviz/graphviz/-/issues/1700 Ping As java seems to be ruled out should be good to go. amd64 done ppc64 done arm64 done arm done x86 done Looking good on ppc. # cat graphviz-684844.report USE tests started on So 9. Mai 13:46:42 CEST 2021 FEATURES=' test' USE='' succeeded for =media-gfx/graphviz-2.47.1 USE='X cairo -devil -doc examples -gtk gts -guile lasi nls pdf perl -postscript -python -qt5 -ruby -svg -tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='X cairo -devil doc -examples -gtk gts guile -lasi nls -pdf perl -postscript -python qt5 -ruby -svg -tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo -devil doc examples -gtk gts guile lasi -nls -pdf -perl -postscript -python qt5 ruby svg -tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo devil -doc examples -gtk -gts guile -lasi nls pdf -perl -postscript -python qt5 ruby svg -tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo -devil -doc examples -gtk gts guile lasi -nls -pdf perl -postscript -python -qt5 -ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo -devil doc examples -gtk -gts guile lasi -nls pdf perl postscript -python -qt5 -ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='X cairo devil -doc -examples gtk gts -guile -lasi nls -pdf -perl -postscript -python -qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo -devil -doc -examples -gtk gts guile -lasi -nls -pdf -perl postscript -python -qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo -devil doc examples -gtk -gts -guile -lasi -nls -pdf perl -postscript -python qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='X cairo devil -doc -examples -gtk gts guile lasi -nls pdf -perl -postscript -python qt5 -ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo devil doc examples gtk -gts guile lasi -nls pdf perl -postscript -python qt5 -ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1 USE='-X cairo -devil -doc examples gtk gts guile -lasi nls -pdf perl -postscript -python qt5 ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1 revdep tests started on So 9. Mai 15:17:35 CEST 2021 FEATURES=' test' USE='dot' succeeded for app-doc/doxygen FEATURES=' test' USE='graphviz' succeeded for dev-util/quilt FEATURES=' test' USE='graphviz' succeeded for media-gfx/imagemagick FEATURES=' test' USE='' succeeded for dev-python/pydot FEATURES=' test' USE='' succeeded for dev-python/objgraph FEATURES=' test' USE='valadoc' succeeded for dev-lang/vala FEATURES=' test' USE='' succeeded for dev-tex/dot2tex FEATURES=' test' USE='' succeeded for dev-python/pygraphviz FEATURES=' test' USE='' succeeded for media-gfx/xdot ppc done (In reply to ernsteiswuerfel from comment #13) > Looking good on ppc. > Thank you! hppa/sparc stable New GLSA request filed. Unable to check for sanity:
> no match for package: media-gfx/graphviz-2.47.1
This issue was resolved and addressed in GLSA 202107-04 at https://security.gentoo.org/glsa/202107-04 by GLSA coordinator John Helmert III (ajak). |